| Message ID | 20260513081001.714630-2-cassel@kernel.org |
|---|---|
| State | New |
| Series | ata: libata-eh: queue hotplug work on the system_dfl_long_wq workqueue |

On 5/13/26 5:10 PM, Niklas Cassel wrote:
> ata_scsi_port_error_handler() uses schedule_delayed_work() to queue
> the ap->hotplug_task work.
>
> schedule_delayed_work() always uses the system_percpu_wq per-cpu
> workqueue.
>
> ata_scsi_scan_host() queues the ap->hotplug_task work on the unbound
> system_dfl_long_wq workqueue.
>
> It seems counter-intuitive to queue the same work on two different
> workqueues. Thus, change ata_scsi_port_error_handler() to also queue
> the ap->hotplug_task work on the system_dfl_long_wq workqueue, such
> that the work is always queued on the same workqueue.
>
> Signed-off-by: Niklas Cassel <cassel@kernel.org>

Looks OK.

Reviewed-by: Damien Le Moal <dlemoal@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] The patch fails its stated goal of unifying workqueues, leaving a Use-After-Free concurrency vulnerability intact due to broken workqueue non-reentrancy.
--

commit 30d96f652048a28eb19aca7f2ef201c2aea08917
Author: Niklas Cassel <cassel@kernel.org>

ata: libata-eh: queue hotplug work on the system_dfl_long_wq workqueue

This commit changes ata_scsi_port_error_handler() to queue hotplug_task
on system_dfl_long_wq, attempting to unify the workqueue usage with
ata_scsi_scan_host().

> ata_scsi_scan_host() queues the ap->hotplug_task work on the unbound
> system_dfl_long_wq workqueue.

Is this description of ata_scsi_scan_host() accurate?

Looking at ata_scsi_scan_host(), it queues the work on system_long_wq, not
the unbound system_dfl_long_wq.

> diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c > index 9a4b67b90b17b..6cb79a09423dd 100644 > --- a/drivers/ata/libata-eh.c > +++ b/drivers/ata/libata-eh.c
> @@ -819,7 +819,7 @@ void ata_scsi_port_error_handler(struct Scsi_Host *host, struct ata_port *ap) > ap->pflags &= ~ATA_PFLAG_LOADING; > else if ((ap->pflags & ATA_PFLAG_SCSI_HOTPLUG) && > !(ap->flags & ATA_FLAG_SAS_HOST)) > - schedule_delayed_work(&ap->hotplug_task, 0); > + queue_delayed_work(system_dfl_long_wq, &ap->hotplug_task, 0);

Could this still leave the port vulnerable to a use-after-free regression
during teardown?

Since ata_scsi_scan_host() uses system_long_wq and this now uses
system_dfl_long_wq, the same work can still be queued on two different
workqueues, bypassing the workqueue non-reentrancy checks.

If the work was last queued to system_dfl_long_wq, would a call to
cancel_delayed_work_sync(&ap->hotplug_task) during ata_port_detach() only
flush that pool and return immediately, missing an instance still executing
on system_long_wq?

Should this be changed to use system_long_wq to match ata_scsi_scan_host()
and ensure the synchronization actually waits for all work to complete?

On Thu, May 14, 2026 at 03:07:41AM +0000, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [High] The patch fails its stated goal of unifying workqueues, leaving a Use-After-Free concurrency vulnerability intact due to broken workqueue non-reentrancy.
> --
>
> commit 30d96f652048a28eb19aca7f2ef201c2aea08917
> Author: Niklas Cassel <cassel@kernel.org>
>
> ata: libata-eh: queue hotplug work on the system_dfl_long_wq workqueue
>
> This commit changes ata_scsi_port_error_handler() to queue hotplug_task
> on system_dfl_long_wq, attempting to unify the workqueue usage with
> ata_scsi_scan_host().
>
> > ata_scsi_scan_host() queues the ap->hotplug_task work on the unbound
> > system_dfl_long_wq workqueue.
>
> Is this description of ata_scsi_scan_host() accurate?
>
> Looking at ata_scsi_scan_host(), it queues the work on system_long_wq, not
> the unbound system_dfl_long_wq.
>
> > diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c > > index 9a4b67b90b17b..6cb79a09423dd 100644 > > --- a/drivers/ata/libata-eh.c > > +++ b/drivers/ata/libata-eh.c
> > @@ -819,7 +819,7 @@ void ata_scsi_port_error_handler(struct Scsi_Host *host, struct ata_port *ap) > > ap->pflags &= ~ATA_PFLAG_LOADING; > > else if ((ap->pflags & ATA_PFLAG_SCSI_HOTPLUG) && > > !(ap->flags & ATA_FLAG_SAS_HOST)) > > - schedule_delayed_work(&ap->hotplug_task, 0); > > + queue_delayed_work(system_dfl_long_wq, &ap->hotplug_task, 0);
>
> Could this still leave the port vulnerable to a use-after-free regression
> during teardown?
>
> Since ata_scsi_scan_host() uses system_long_wq and this now uses
> system_dfl_long_wq, the same work can still be queued on two different
> workqueues, bypassing the workqueue non-reentrancy checks.

This patch is based on libata/for-next, where ata_scsi_scan_host() uses
system_dfl_long_wq, not system_long_wq, so the review comment by Sashiko
is incorrect.

Damien: it seems that Sashiko uses libata/HEAD by default. I guess we could
start pushing libata/for-next to libata/HEAD, or we would need to reach out
to Sashiko to make them change the default branch that they use to apply
linux-ide patches to.

Kind regards,
Niklas

On Wed, 13 May 2026 10:10:01 +0200, Niklas Cassel wrote:
> ata_scsi_port_error_handler() uses schedule_delayed_work() to queue
> the ap->hotplug_task work.
>
> schedule_delayed_work() always uses the system_percpu_wq per-cpu
> workqueue.
>
> ata_scsi_scan_host() queues the ap->hotplug_task work on the unbound
> system_dfl_long_wq workqueue.
>
> [...]

Applied to libata/linux.git (for-next), thanks!

[1/1] ata: libata-eh: queue hotplug work on the system_dfl_long_wq workqueue
https://git.kernel.org/libata/linux/c/9e5137b9

Kind regards,
Niklas

diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c index 9a4b67b90b17..6cb79a09423d 100644 --- a/drivers/ata/libata-eh.c +++ b/drivers/ata/libata-eh.c @@ -819,7 +819,7 @@ void ata_scsi_port_error_handler(struct Scsi_Host *host, struct ata_port *ap) ap->pflags &= ~ATA_PFLAG_LOADING; else if ((ap->pflags & ATA_PFLAG_SCSI_HOTPLUG) && !(ap->flags & ATA_FLAG_SAS_HOST)) - schedule_delayed_work(&ap->hotplug_task, 0); + queue_delayed_work(system_dfl_long_wq, &ap->hotplug_task, 0); if (ap->pflags & ATA_PFLAG_RECOVERED) ata_port_info(ap, "EH complete\n");
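
Review bot: The new `queue_delayed_work(system_dfl_long_wq, &ap->hotplug_task, 0);` line in ata_scsi_port_error_handler() is only consistent with the rest of the driver if ata_scsi_scan_host() already queues on system_dfl_long_wq, which is not visible in this hunk and, per the thread, holds on libata/for-next but not on the branch the automated review applied the patch to. Please name the base tree in the commit message or add a base-commit trailer so the claim can be checked against the right code. Since the stated goal is that the work is always queued on the same workqueue, the commit message should also say whether these two call sites are the only ones that queue ap->hotplug_task.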

ata_scsi_port_error_handler() uses schedule_delayed_work() to queue
the ap->hotplug_task work.

schedule_delayed_work() always uses the system_percpu_wq per-cpu
workqueue.

ata_scsi_scan_host() queues the ap->hotplug_task work on the unbound
system_dfl_long_wq workqueue.

It seems counter-intuitive to queue the same work on two different
workqueues. Thus, change ata_scsi_port_error_handler() to also queue
the ap->hotplug_task work on the system_dfl_long_wq workqueue, such
that the work is always queued on the same workqueue.

Signed-off-by: Niklas Cassel <cassel@kernel.org>

---
 drivers/ata/libata-eh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)